User's Manual Part 2

56 JadeOS User Manual
For example, to configure a user role named preauth that permits DNS traffic but redirects all other traffic to port 443 by DNAT in order to perform authentication, and a user role named postauth that allows all traffic, use the following steps:
(JadeOS) (config) #ip access-list session pre-auth-acl
(JadeOS) (config-sess-pre-auth-acl)#any any udp 53 permit
(JadeOS) (config-sess-pre-auth-acl)#any any tcp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#any any udp 0 65535 dst-nat ip 10.0.0.2 443
(JadeOS) (config-sess-pre-auth-acl)#exit
(JadeOS) (config) #ip access-list session post-auth-acl
(JadeOS) (config-sess-post-auth-acl)#any any any permit
(JadeOS) (config-sess-post-auth-acl)#exit
(JadeOS) (config)#user-role preauth
(JadeOS) (config-role)#access-list session pre-auth-acl
(JadeOS) (config)#user-role postauth
(JadeOS) (config-role)#access-list session post-auth-acl
9.3 Connections among User, VLAN and User Role
Each user has its own VLAN ID in JadeOS.
There are several ways to specify the VLAN for each user, for example:
- IfauseraccessfromoneVLANinterface,user’sVLANistheinterface’sVLAN
ID;
- SpecifyaVLANforSSID;ifauseraccessfromthisSSID,user’sVLANisthe
specifiedVLAN;
Each VLAN has an AAA policy; please refer to chapter 9.4 for more information.
Each AAA policy defines the user role before authentication and the user role after authentication (including network access and bandwidth control). The user switches user role after authentication.
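The following is an added example, not JadeOS code, that models the behaviour described in the steps above and in this section: a user starts in the preauth role, whose session ACL permits DNS and DNATs everything else to 10.0.0.2:443, and moves to the postauth role, which permits all traffic, once authentication succeeds. The rule evaluation order (first match wins), the implicit deny when no rule matches, and the User/Rule/SessionAcl names are assumptions made for illustration; the "any any" source/destination matches of the real ACL syntax are modelled only as a destination-port range.

```python
"""Model of pre-auth / post-auth session ACLs and the role switch after
authentication. Added example; not part of JadeOS. First-match evaluation
and an implicit final deny are assumptions, not documented JadeOS behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One session ACL entry: protocol, destination port range and action."""
    proto: str                 # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    action: str                # "permit", "deny" or "dst-nat"
    nat_ip: Optional[str] = None
    nat_port: Optional[int] = None

    def matches(self, proto: str, dport: int) -> bool:
        proto_ok = self.proto == "any" or self.proto == proto
        return proto_ok and self.port_lo <= dport <= self.port_hi


@dataclass
class SessionAcl:
    name: str
    rules: List[Rule]

    def evaluate(self, proto: str, dst_ip: str, dport: int) -> Tuple[str, str, int]:
        """Return (action, effective_dst_ip, effective_dst_port).

        First matching rule wins (assumption); a dst-nat rule rewrites the
        destination, a permit keeps it, and no match falls through to deny.
        """
        for rule in self.rules:
            if rule.matches(proto, dport):
                if rule.action == "dst-nat":
                    return ("dst-nat", rule.nat_ip, rule.nat_port)
                return (rule.action, dst_ip, dport)
        return ("deny", dst_ip, dport)


# Mirrors the CLI steps: DNS permitted, all other TCP/UDP redirected to the
# captive portal at 10.0.0.2:443 (address taken from the manual's example).
PRE_AUTH_ACL = SessionAcl("pre-auth-acl", [
    Rule("udp", 53, 53, "permit"),
    Rule("tcp", 0, 65535, "dst-nat", "10.0.0.2", 443),
    Rule("udp", 0, 65535, "dst-nat", "10.0.0.2", 443),
])
POST_AUTH_ACL = SessionAcl("post-auth-acl", [Rule("any", 0, 65535, "permit")])

# user-role -> session ACL, as bound with "access-list session" in the CLI.
ROLES = {"preauth": PRE_AUTH_ACL, "postauth": POST_AUTH_ACL}


@dataclass
class User:
    """A client on a VLAN. The initial role comes from the AAA profile."""
    mac: str
    vlan: int
    role: str = "preauth"

    def forward(self, proto: str, dst_ip: str, dport: int) -> Tuple[str, str, int]:
        """Apply the ACL of the user's current role to one flow."""
        return ROLES[self.role].evaluate(proto, dst_ip, dport)

    def authenticate(self, success: bool) -> str:
        """Switch to the default (post-auth) role only on success."""
        if success:
            self.role = "postauth"
        return self.role


if __name__ == "__main__":
    # Constructed sample client and flows.
    client = User(mac="00:11:22:33:44:55", vlan=10)
    for flow in [("udp", "8.8.8.8", 53), ("tcp", "93.184.216.34", 80)]:
        print(client.role, flow, "->", client.forward(*flow))
    client.authenticate(True)
    print(client.role, ("tcp", "93.184.216.34", 80), "->",
          client.forward("tcp", "93.184.216.34", 80))
```

The point the model makes concrete is that everything except DNS is steered to the portal until the role changes; a failed authentication leaves the client in preauth, so the redirect keeps applying.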
9.4 Configuring AAA Profile
An AAA profile is a profile for authentication configuration. The profile specifies the authentication methods (web portal, 802.1x, and MAC authentication), the initial role (role before authentication), the default role (role after authentication), the Radius server and so on.
Apply the AAA profile to one VLAN, and then all the users in that VLAN use the AAA profile.
Before configuration, you need to configure the ACL, Role, Radius server group and authentication methods, and then apply them to the AAA profile.